File name:

2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn

Full analysis: https://app.any.run/tasks/9f4c5fac-f353-4540-a023-22eef3136b02
Verdict: Malicious activity
Analysis date: May 15, 2025, 21:27:20
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
jeefo
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:

BECD7005ECE0895216CC7811244F8D8F

SHA1:

CB7DCA91C348AA1D7AC027429BB93E91D465D103

SHA256:

43DD8F556669280935B894ECACAC2BDD176238998D2649AA6636B6503977490D

SSDEEP:

49152:5cMtGnePWkiCk7uScXIZ3cpD5oKhxc9gle5n1qfO0bWWgrHkj3rA8/2lN/HFVBBD:5cMSeP1k7uScE2DCKPcCe51qfO0xwsU3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • JEEFO has been detected

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe (PID: 7404)
      • icsys.icn.exe (PID: 8068)
      • explorer.exe (PID: 8088)
      • svchost.exe (PID: 8128)
    • Changes the autorun value in the registry

      • explorer.exe (PID: 8088)
      • svchost.exe (PID: 8128)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe (PID: 7404)
      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7508)
      • icsys.icn.exe (PID: 8068)
      • explorer.exe (PID: 8088)
      • spoolsv.exe (PID: 8108)
    • Starts application with an unusual extension

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe (PID: 7404)
    • Disables SEHOP

      • BraveUpdate.exe (PID: 7508)
    • Starts itself from another location

      • BraveUpdate.exe (PID: 7508)
      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe (PID: 7404)
      • icsys.icn.exe (PID: 8068)
      • explorer.exe (PID: 8088)
      • spoolsv.exe (PID: 8108)
      • svchost.exe (PID: 8128)
    • Creates/Modifies COM task schedule object

      • BraveUpdateComRegisterShell64.exe (PID: 7628)
      • BraveUpdateComRegisterShell64.exe (PID: 7656)
      • BraveUpdateComRegisterShell64.exe (PID: 7684)
      • BraveUpdate.exe (PID: 7596)
    • Reads security settings of Internet Explorer

      • BraveUpdate.exe (PID: 7508)
      • BraveUpdate.exe (PID: 7772)
    • Executes as Windows Service

      • BraveUpdate.exe (PID: 7816)
    • The process creates files with name similar to system file names

      • icsys.icn.exe (PID: 8068)
      • spoolsv.exe (PID: 8108)
    • There is functionality for taking screenshot (YARA)

      • BraveUpdate.exe (PID: 7508)
      • BraveUpdate.exe (PID: 7772)
      • BraveUpdate.exe (PID: 7816)
    • Creates or modifies Windows services

      • svchost.exe (PID: 8128)
  • INFO

    • The sample compiled with english language support

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe (PID: 7404)
      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7508)
      • icsys.icn.exe (PID: 8068)
      • explorer.exe (PID: 8088)
      • spoolsv.exe (PID: 8108)
    • The sample compiled with arabic language support

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7508)
    • Checks supported languages

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe (PID: 7404)
      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7560)
      • BraveUpdate.exe (PID: 7596)
      • BraveUpdateComRegisterShell64.exe (PID: 7628)
      • BraveUpdateComRegisterShell64.exe (PID: 7656)
      • BraveUpdateComRegisterShell64.exe (PID: 7684)
      • BraveUpdate.exe (PID: 7716)
      • BraveUpdate.exe (PID: 7508)
      • BraveUpdate.exe (PID: 7772)
      • BraveUpdate.exe (PID: 7816)
      • icsys.icn.exe (PID: 8068)
      • explorer.exe (PID: 8088)
      • spoolsv.exe (PID: 8108)
      • spoolsv.exe (PID: 8148)
      • svchost.exe (PID: 8128)
    • Create files in a temporary directory

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe (PID: 7404)
      • icsys.icn.exe (PID: 8068)
      • explorer.exe (PID: 8088)
      • spoolsv.exe (PID: 8108)
      • svchost.exe (PID: 8128)
      • spoolsv.exe (PID: 8148)
    • The sample compiled with czech language support

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7508)
    • The sample compiled with german language support

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7508)
    • The sample compiled with Indonesian language support

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7508)
    • The sample compiled with korean language support

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7508)
    • The sample compiled with bulgarian language support

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7508)
    • The sample compiled with japanese language support

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7508)
    • The sample compiled with polish language support

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7508)
    • The sample compiled with russian language support

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7508)
    • The sample compiled with portuguese language support

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7508)
    • The sample compiled with turkish language support

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7508)
    • The sample compiled with slovak language support

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7508)
    • The sample compiled with swedish language support

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7508)
    • Reads the computer name

      • BraveUpdate.exe (PID: 7508)
      • BraveUpdate.exe (PID: 7560)
      • BraveUpdate.exe (PID: 7596)
      • BraveUpdateComRegisterShell64.exe (PID: 7628)
      • BraveUpdateComRegisterShell64.exe (PID: 7656)
      • BraveUpdateComRegisterShell64.exe (PID: 7684)
      • BraveUpdate.exe (PID: 7716)
      • BraveUpdate.exe (PID: 7816)
      • svchost.exe (PID: 8128)
      • BraveUpdate.exe (PID: 7772)
    • The sample compiled with chinese language support

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7508)
    • Brave updater related mutex has been found

      • BraveUpdate.exe (PID: 7508)
      • BraveUpdate.exe (PID: 7596)
      • BraveUpdate.exe (PID: 7716)
      • BraveUpdate.exe (PID: 7772)
      • BraveUpdate.exe (PID: 7816)
      • BraveUpdate.exe (PID: 7560)
    • The sample compiled with french language support

      • BraveUpdate.exe (PID: 7508)
      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
    • The sample compiled with Italian language support

      • BraveUpdate.exe (PID: 7508)
      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
    • Process checks computer location settings

      • BraveUpdate.exe (PID: 7508)
    • Checks proxy server information

      • BraveUpdate.exe (PID: 7716)
      • BraveUpdate.exe (PID: 7772)
      • slui.exe (PID: 3020)
    • Reads the software policy settings

      • BraveUpdate.exe (PID: 7716)
      • BraveUpdate.exe (PID: 7816)
      • BraveUpdate.exe (PID: 7772)
      • slui.exe (PID: 3020)
    • Reads the machine GUID from the registry

      • BraveUpdate.exe (PID: 7716)
      • BraveUpdate.exe (PID: 7816)
      • BraveUpdate.exe (PID: 7772)
    • Creates files in the program directory

      • BraveUpdate.exe (PID: 7816)
      • BraveUpdate.exe (PID: 7508)
    • Manual execution by a user

      • svchost.exe (PID: 6040)
      • explorer.exe (PID: 6972)
    • Auto-launch of the file from Registry key

      • explorer.exe (PID: 8088)
      • svchost.exe (PID: 8128)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:04:01 07:08:22+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 106496
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x290c
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: Project1
FileVersion: 1
ProductVersion: 1
InternalName: TJprojMain
OriginalFileName: TJprojMain.exe
No data.
All screenshots are available in the full report
Total processes
145
Monitored processes
20
Malicious processes
8
Suspicious processes
0

Behavior graph

start
  • #JEEFO 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe
  • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe
  • braveupdate.exe
  • braveupdate.exe (no specs)
  • braveupdate.exe (no specs)
  • braveupdatecomregistershell64.exe (no specs)
  • braveupdatecomregistershell64.exe (no specs)
  • braveupdatecomregistershell64.exe (no specs)
  • braveupdate.exe
  • braveupdate.exe
  • braveupdate.exe
  • #JEEFO icsys.icn.exe
  • #JEEFO explorer.exe
  • spoolsv.exe
  • #JEEFO svchost.exe
  • spoolsv.exe (no specs)
  • svchost.exe (no specs)
  • explorer.exe (no specs)
  • slui.exe
  • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 3020
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6040
CMD: c:\windows\resources\svchost.exe RO
Path: C:\Windows\Resources\svchost.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\windows\resources\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 6972
CMD: c:\windows\resources\themes\explorer.exe RO
Path: C:\Windows\Resources\Themes\explorer.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 7320
CMD: "C:\Users\admin\Desktop\2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe"
Path: C:\Users\admin\Desktop\2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\users\admin\desktop\2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 7404
CMD: "C:\Users\admin\Desktop\2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe"
Path: C:\Users\admin\Desktop\2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\desktop\2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 7428
CMD: c:\users\admin\desktop\2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe 
Path: C:\Users\admin\Desktop\2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe 
Parent process: 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe
User:
admin
Company:
BraveSoftware Inc.
Integrity Level:
HIGH
Description:
BraveSoftware Update Setup
Version:
1.3.361.151
Modules
Images
c:\users\admin\desktop\2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe 
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 7508
CMD: C:\WINDOWS\SystemTemp\GUMCFA7.tmp\BraveUpdate.exe /installsource taggedmi /install "appguid={AFE6A462-C574-4B8A-AF43-4CC60DF4563B}&appname=Brave-Release&needsadmin=prefers&ap=release&installdataindex=default&referral=none"
Path: C:\Windows\SystemTemp\GUMCFA7.tmp\BraveUpdate.exe
Parent process: 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe 
User:
admin
Company:
BraveSoftware Inc.
Integrity Level:
HIGH
Description:
BraveSoftware Update
Version:
1.3.361.151
Modules
Images
c:\windows\systemtemp\gumcfa7.tmp\braveupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 7560
CMD: "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /regsvc
Path: C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
Parent process: BraveUpdate.exe
User:
admin
Company:
BraveSoftware Inc.
Integrity Level:
HIGH
Description:
BraveSoftware Update
Exit code:
0
Version:
1.3.361.151
Modules
Images
c:\program files (x86)\bravesoftware\update\braveupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 7596
CMD: "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /regserver
Path: C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
Parent process: BraveUpdate.exe
User:
admin
Company:
BraveSoftware Inc.
Integrity Level:
HIGH
Description:
BraveSoftware Update
Exit code:
0
Version:
1.3.361.151
Modules
Images
c:\program files (x86)\bravesoftware\update\braveupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 7628
CMD: "C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe"
Path: C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe
Parent process: BraveUpdate.exe
User:
admin
Company:
BraveSoftware Inc.
Integrity Level:
HIGH
Description:
BraveSoftware Update
Exit code:
0
Version:
1.3.361.151
Modules
Images
c:\program files (x86)\bravesoftware\update\1.3.361.151\braveupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
18 796
Read events
14 670
Write events
4 057
Delete events
69

Modification events

(PID) Process: (7404) 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe
Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation: write
Name: LO
Value: 1

(PID) Process: (7428) 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe 
Key: HKEY_CURRENT_USER\SOFTWARE\BraveSoftware\Promo
Operation: write
Name: StubInstallerPath
Value: c:\users\admin\desktop\2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe 

(PID) Process: (7508) BraveUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update
Operation: write
Name: path
Value: C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe

(PID) Process: (7508) BraveUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update
Operation: write
Name: UninstallCmdLine
Value: "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /uninstall

(PID) Process: (7508) BraveUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update\Clients\{B131C935-9BE6-41DA-9599-1F776BEB8019}
Operation: write
Name: pv
Value: 1.3.361.151

(PID) Process: (7508) BraveUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update\Clients\{B131C935-9BE6-41DA-9599-1F776BEB8019}
Operation: write
Name: name
Value: Brave Update

(PID) Process: (7508) BraveUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update\ClientState\{B131C935-9BE6-41DA-9599-1F776BEB8019}
Operation: write
Name: pv
Value: 1.3.361.151

(PID) Process: (7508) BraveUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BraveUpdate.exe
Operation: write
Name: DisableExceptionChainValidation
Value: 0

(PID) Process: (7508) BraveUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update
Operation: write
Name: brave_task_name_c
Value: BraveSoftwareUpdateTaskMachineCore{0079883D-4BFC-4457-9507-EE9FAF217DDC}

(PID) Process: (7508) BraveUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update
Operation: write
Name: brave_task_name_ua
Value: BraveSoftwareUpdateTaskMachineUA{C17AEF7B-B9EF-4463-B097-7BF0DF1DE0F4}
Executable files
149
Suspicious files
4
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 7428
Process: 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe 
Filename: C:\Windows\SystemTemp\GUMCFA7.tmp\BraveUpdateComRegisterShell64.exe
Type: executable
MD5: 603886C2DFAF72EE6A6BDD0A8E9117F6
SHA256: 840DF16E062C3618E4C7058E4E784AFDDFC4B3E0492A8DE64FE91F18DE1346F4

PID: 7428
Process: 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe 
Filename: C:\Windows\SystemTemp\GUMCFA7.tmp\BraveCrashHandler64.exe
Type: executable
MD5: 58573BC96B9554A219559779531E925B
SHA256: 827F4A70AFE75A6B81A4DF2FA4842FFC5A62D061406736BE9BC0C74484570F4F

PID: 7428
Process: 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe 
Filename: C:\Windows\SystemTemp\GUMCFA7.tmp\BraveCrashHandlerArm64.exe
Type: executable
MD5: 6866772A0DC4C7D9415F793B7E493633
SHA256: F290A5F0D249AFBEA4AE5173F4E6D6EED926748BBD872B488C82D1F0BEEE1628

PID: 7428
Process: 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe 
Filename: C:\Windows\SystemTemp\GUMCFA7.tmp\BraveUpdateBroker.exe
Type: executable
MD5: EBCF9C326C3E444F59955374FB6C3FB5
SHA256: 91549704A97276D2D635F7FFB09912E60ADE8E7D7C20951A3F3DE6EDF7066638

PID: 7428
Process: 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe 
Filename: C:\Windows\SystemTemp\GUMCFA7.tmp\BraveUpdateCore.exe
Type: executable
MD5: 727CADCA7E67757F5B59BF14A5E5E972
SHA256: 6B0DB820DA7BBE869E467636A69A3CAE8308F78E87EEFBA57D20878FA91A43C2

PID: 7428
Process: 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe 
Filename: C:\Windows\SystemTemp\GUMCFA7.tmp\psmachine_64.dll
Type: executable
MD5: AEE59FBB79BAAC50CA9078967B57BF4E
SHA256: 91FA85317A119D39B56E061256A5D407053FFE0E36D1DEFB2AFB187107011A07

PID: 7428
Process: 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe 
Filename: C:\Windows\SystemTemp\GUMCFA7.tmp\psmachine_arm64.dll
Type: executable
MD5: 70F6CD69B463BBD428E23D98A9F59AA6
SHA256: 82DF37917C462ECBF5F8BFAA05BE432BB5EEB9F93E6CDC61A52C1839D0555A11

PID: 7428
Process: 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe 
Filename: C:\Windows\SystemTemp\GUMCFA7.tmp\BraveUpdateComRegisterShellArm64.exe
Type: executable
MD5: 0B4C043FE5198D65816F84E3545E6D4E
SHA256: F2354D0E4FF44678754F12ED92E909F581BC281D2BAC5B744D8D034891859AE5

PID: 7428
Process: 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe 
Filename: C:\Windows\SystemTemp\GUMCFA7.tmp\BraveCrashHandler.exe
Type: executable
MD5: E32AF913C1976855A2593B794283881A
SHA256: 3DC996A4698ACFF5D6719472D0A68650B73F5FBB98B08C9FA80AEFAC4ED1823C

PID: 7428
Process: 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe 
Filename: C:\Windows\SystemTemp\GUMCFA7.tmp\psuser_arm64.dll
Type: executable
MD5: 77326E978BD72693A25219096A7640C0
SHA256: 3FD52FD665489BB823AA218D57AF218657D2E2AEA6A9ADD071A0284463E6FC7B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
55
DNS requests
18
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5064 | SIHClient.exe | GET | 200 | 23.216.77.32:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5064 | SIHClient.exe | GET | 200 | 23.216.77.32:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
5064 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
5064 | SIHClient.exe | GET | 200 | 23.216.77.32:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | - | - | whitelisted
5064 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted
5064 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
5064 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
5064 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.159.131:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7716 | BraveUpdate.exe | 3.171.214.82:443 | updates.bravesoftware.com | - | US | shared
3812 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
7816 | BraveUpdate.exe | 3.171.214.82:443 | updates.bravesoftware.com | - | US | shared
7772 | BraveUpdate.exe | 13.32.99.123:443 | dl.brave.com | AMAZON-02 | US | whitelisted
7900 | svchost.exe | 3.161.82.8:443 | updates-cdn.bravesoftware.com | - | US | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.238
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.159.131
  • 40.126.31.0
  • 20.190.159.73
  • 20.190.159.71
  • 40.126.31.3
  • 40.126.31.69
  • 20.190.159.4
  • 20.190.159.0
whitelisted
updates.bravesoftware.com
  • 3.171.214.82
  • 3.171.214.3
  • 3.171.214.112
  • 3.171.214.65
shared
dl.brave.com
  • 13.32.99.123
  • 13.32.99.23
  • 13.32.99.78
  • 13.32.99.14
whitelisted
updates-cdn.bravesoftware.com
  • 3.161.82.8
  • 3.161.82.23
  • 3.161.82.36
  • 3.161.82.75
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
crl.microsoft.com
  • 23.216.77.32
  • 23.216.77.29
  • 23.216.77.31
  • 23.216.77.35
  • 23.216.77.21
  • 23.216.77.25
  • 23.216.77.33
  • 23.216.77.27
  • 23.216.77.30
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted

Threats

No threats detected
No debug info